Virtual private networking (VPN) companies often promote their services as a secure way to safeguard your internet activity from prying eyes. However, recent research suggests that this assumption might be dangerous, especially when connecting to a VPN over an untrusted network. Attackers on the same network could potentially divert a target’s traffic away from the protection offered by their VPN without alerting the user.
When a device attempts to connect to a network, it broadcasts a message to the entire local network requesting an internet address. Ordinarily, only the router that manages the network responds to this request. The response comes from a Dynamic Host Configuration Protocol (DHCP) server, which assigns IP addresses and designates a local address, known as an Internet gateway, through which all connected systems access the web.
VPNs create a secure virtual network interface for communication by establishing an encrypted tunnel. However, Leviathan Security researchers have discovered a potential vulnerability in this setup. They found that it’s possible to exploit an obscure feature in the DHCP standard, known as DHCP option 121, to coerce other users on the local network to connect to a rogue DHCP server.
By running a DHCP server on the same network as a targeted VPN user and configuring it to use itself as a gateway, attackers can intercept and snoop on the user’s traffic. This abuse of DHCP option 121 allows attackers to set up routing rules that take precedence over those of the VPN, effectively diverting traffic away from the VPN’s encrypted interface.
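A defender-side check for the routing behaviour described above, as an added example that is not from Leviathan's research or any VPN vendor: it decodes a DHCP option 121 payload (the RFC 3442 classless static route encoding) and reports routes that would win over the VPN's route by longest-prefix match. The function names, the sample payload and the assumption that the VPN installs a single 0.0.0.0/0 route are all hypothetical.

```python
import ipaddress

def parse_option_121(payload: bytes):
    """Decode RFC 3442 routes: [prefix length][significant dest octets][4-byte router]."""
    routes, i = [], 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"invalid prefix length {width} at offset {i}")
        n = (width + 7) // 8  # only the significant destination octets are sent
        end = i + 1 + n + 4
        if end > len(payload):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = int.from_bytes(payload[i + 1:i + 1 + n] + bytes(4 - n), "big")
        net = ipaddress.IPv4Network((dest, width), strict=False)
        router = ipaddress.IPv4Address(payload[i + 1 + n:end])
        routes.append((net, router))
        i = end
    return routes

def overriding_routes(dhcp_routes, vpn_prefixes):
    """Return DHCP-pushed routes that win over a VPN route by longest-prefix match."""
    hits = []
    for net, router in dhcp_routes:
        for vpn in vpn_prefixes:
            # A strictly longer prefix inside the VPN's range is preferred by the kernel.
            if net.prefixlen > vpn.prefixlen and net.subnet_of(vpn):
                hits.append((net, router, vpn))
    return hits

# Constructed sample payload (documentation address ranges, not captured traffic):
#   198.51.100.0/24 via 192.0.2.1, then a default route 0.0.0.0/0 via 192.0.2.254
SAMPLE = bytes([24, 198, 51, 100, 192, 0, 2, 1,
                0, 192, 0, 2, 254])
# Assumption: the VPN client covers all traffic with a single default route.
VPN_PREFIXES = [ipaddress.IPv4Network("0.0.0.0/0")]

if __name__ == "__main__":
    for net, router, vpn in overriding_routes(parse_option_121(SAMPLE), VPN_PREFIXES):
        print(f"ALERT: DHCP route {net} via {router} overrides VPN route {vpn}")
```

The DHCP-supplied default route in the sample is not flagged because its prefix length equals the VPN's, so route metrics rather than prefix length decide between them.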
This technique poses a significant threat, allowing attackers to force VPNs to establish new connections and intercept traffic without the user’s knowledge. Leviathan’s research highlights the need for robust security measures, especially on untrusted networks. They recommend using devices that ignore DHCP option 121, relying on cellular hotspots, or running VPNs inside virtual machines to mitigate this risk. However, they caution that even these measures may not offer complete protection against determined attackers.